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Abstract: We study the hst-decoding problem of ahernant codes, with the 
notable case of classical Goppa codes. The major consideration here is to take 
into account the size of the alphabet, which shows great influence on the list- 
decoding radius. This amounts to compare the generic Johnson bound to the 
q-ary Johnson bound. This difference is important when q is very small. 

Essentially, the most favourable case is q — 2, for which the decoding radius 
is greatly improved, notably when the relative minimum distance gets close to 
1/2. 

Even though the announced result, which is the list-decoding radius of binary 
Goppa codes, is new, it can be rather easily made up from previous sources 
(V. Guruswami, R. M. Roth and I. Tal, R .M. Roth), which may be a little 
bit unknown, and in which the case of binary Goppa codes has apparently not 
been thought at. Only D. J. Bernstein treats the case of binary Goppa codes in 
a preprint. References are given in the introduction. 

We propose an autonomous treatment and also a complexity analysis of the 
studied algorithm, which is quadratic in the blocklength n, when decoding at 
some distance of the relative maximum decoding radius, and in OirJ) when 
reaching the maximum radius. 

Key-words: Error correcting codes, algebraic geometric codes, list-decoding, 
alternant codes, binary Goppa codes 
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Decodage en liste des codes de Goppa binaires 
jusqu'a la borne de Johnson binaire 

Resume : Nous etudions le decodage en liste des codes alternants, dont notam- 

mcnt Ics codes dc Goppa classiqucs. La consideration majeure est de prendre cn 
compte la taille de I'alphabet, qui influe sur la capacite de correction, surtout 
dans le cas de I'alphabet binaire. Cela revient a comparer la borne de Johnson 
que nous appelons gcncrique, a la borne de Johnson que nous appelons q-aire, 
qui prend en compte la taille q du corps. Cette difference est d'autant plus 
sensible que q est petit. 

Essentiellement, le cas le plus favorable est celui de I'alphabet binaire pour 
lequel on peut augmenter significativement le rayon du decodage en liste. Et 
ce, d'autant plus que la distance minimale relative construite du code alternant 
binaire est proche de 1/2. 

Bien que le resultat annonce ici, a savoir le rayon de decodage en liste des 
codes de Goppa binaires, soit nouveau, il peut assez facilement etre deduit de 
sources relativement peu connues (V. Guruswami, R. M. Roth and I. Tal, 
R .M. Roth) et dont les auteurs n'ont apparemment pas pense a aborder les 
codes de Goppa binaires. Seul D. J. Bernstein a traite le decodage en liste 
des codes de Goppa dans une prepublication. Les references sont donnees dans 
I'introduction. 

Nous proposons un contenu autonome, et aussi une analyse de la complexite 

de I'algorithme ctudic, qui est quadratiqiie en la longiieur n du code, si on se 
tient a distance du rayon relatif de decodage maximal, et en 0{n7) pour le rayon 
de decodage maximal. 

Mots-cles : Codes correcteurs d'erreur, codes geometriques, decodage en 
liste, codes alternants, codes de Goppa binaires 
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1 Introduction 

In 1997, Sudan presented the first list-decoding algorithm for Reed-Solomon 
codes |Sud97] having a low, yet positive, rate. Since the correction radius of Su- 
dan's algorithm for these codes is larger than the one obtained by unambiguous 
decoding algorithms, this represented an important milestone in list-decoding, 
which was previously studied at a theoretical level. See |Eli91) and references 
therein for considerations on the "capacity" of list-decoding. Afterwards, Gu- 
ruswami and Sudan improved the previous algorithm by adding a multiplicity 
constraint in the interpolation procedure. These additional constraints enable 
to increase the correction radius of Sudan's algorithm for Reed-Solomon codes of 
any rate [GS99j . The number of errors that this algorithm is able to list-decode 

corresponds to the Johnson radius eao{n, d) = n — n{n — d) ~ 1, where d is 

the minimum distance of the code. 

Actually, when the size q of the alphabet is properly taken into account q, 
the bound is improved up to 



eq{n,d) 




1, 



where 9q = I — ^. See jGurOTi Chapter 3] for a complete discussion about these 
kinds of bounds, relating the list-decoding radius to the minimum distance. 
Dividing by n, and taking relative values, with S — ^, we define Tao{S) — £2^iihf^)^ 
and Tg((5) = 2ii^2£L^ which are 



Tr 



,{6) = i-VT^, T,{s) = eji- Ji--\ (1) 



1 . 



Note that 7-^(15) gets decreasingly close to Tac,{S) when q grows, and that T2{n, q) 
is the largest, see Figure [TJ We call Too{S) the generic Johnson bound, which 
does not take into account the size of the field, and indeed works over any field, 
finite or not. We refer to Tq{S) as the (7-ary Johnson bound, where the infiuence 
of q is properly reflected. 

The truth is that the Tq{S) radius can be reached for the whole class of 
alternant codes, and this paper presents how to do this. We have essentially 
compiled existing, but not very well-known results, with the spirit of giving 
a report on the issue of list-decoding classical algebraic codes over bounded 
alphabets. First, we have to properly give credits. 

Considering the possibility of varying multiplicities, Koetter and Vardy pro- 
posed in 2001, an algebraic soft-decision decoding algorithm for Reed-Solomon 
codes jKV03| . This method is based on an interpolation procedure which is 
similar to Guruswami-Sudan's algorithm, except that the set of interpolation 
points is two dimensional, and may present varying multiplicities, according the 
reliability measurements given by the channel. Note that the idea of varying 
multiplicities was also considered in |GS99| . as the "weighted polynomial re- 
construction problem" , but was not instantiated for particular cases, as it was 
done by Koetter and Vardy. Before the publication of |KV03) . also circulated 
a preprint of Koetter and Vardy [VKOO] , which was a greatly extended version 
of |KV03| ■ with many possible interesting instances of the weighted interpola- 
tion considered. In particular, the authors discussed the decoding of BCH codes 
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Figure 1: Comparison of the limit generic Johnson bound Toc{S) and the hmit 
q-ary Johnson bounds Tq{S), for smah q. Note that the each curve ends at 
5 ~ 6„ = 1 — which is the maximum relative minimum distance of codes of 
positive rates over F„, from the Plotkin bound. 



over the binary symmetric channel, and reached in fact an error capacity which 
is nothing else than T2{S). Note that BCH codes are nothing else than alternant 
codes, with benefits when the alphabet is F2. This was not published. 

Guruswami-Sudan's algorithm is in fact very general and can also be ap- 
plied to (one point) Algebraic Geometric codes as also shown by Guruswami 
and Sudan in [GS99j. By this manner, one also reaches the Johnson radius 



— \/n(n — d*) — 1, where d* is the Goppa designed distance. Contrarily 
to Reed-Solomon codes, it is possible, for a fixed alphabet Fg, to construct Al- 
gebraic Geometric codes of any length. In this context, it makes sense to try 
to reach the q-ary Johnson bound Tq{d), which is done in Guruswami's the- 
sis |Gur04| ■ at the end of Chapter 6. 

Apparently independently. Roth and Tal considered the list-decoding prob- 
lem in |TR03| . but only an one page abstract. Roth's book [RotOBj . where 
many algebraic codes are presented through the prism of alternant codes, con- 
siders the list-decoding of these codes and shows how to reach the g-ary Johnson 
radius Tq{d), where 6 is the minimum distance of the Generalised Reed-Solomon 
code from which the alternant code is built. Note that alternant codes were 
considered in |GS99| , but only the generic Johnson Bound Tqo (S) was discussed 
there. 

Among the alternant codes, the binary Goppa codes are particularly impor- 
tant. They are not to be confused with Goppa's Algebraic Geometric codes, 
although there is a strong connection which is developed in Section |4l These 
codes are constructed with a Goppa polynomial G{X) of degree r and if this 
polynomial is square-free, then the distance of these codes is at least 2r + 1 
which is almost the double of r, which is what would be expected for a generic 
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alternant code. In fact, using the statements in |Rot06) . and using the fact 
that the Goppa code built with G{X) is the same as the Goppa code built with 
G{X)'^, it is explicit that these codes can be list-decoded up to the radius 



But actually, the first author who really considered the list-decoding of binary 
Goppa codes is D. J. Bernstein [Ber08| . in a preprint which can be found on his 
personal web page. He uses a completely different approach than interpolation 
based list-decoding algorithms, starting with Patterson's algorithm Pat75i for 
decoding classical Goppa codes. Patterson's algorithm is designed to decode up 
to t errors, and to list-decode further, Bernstein reuses the information obtained 
by an unsuccessful application of Patterson's algorithm in a smart way. It is 
also the approach used by Wu |Wu08) in his algorithm for list-decoding Reed- 
Solomon and BCH codes, where the Berlekamp-Massey algorithm is considered 
instead of Patterson's algorithm. Notice that Wu can reach the binary Johnson 
bound T2((5), using very particular properties of Berlekamp-Massey algorithm 
for decoding binary BCH codes [Ber68[ [Ber84j . However, Wu's approach can 
apparently not be straightforwardly applied to Goppa codes. 

Organisation of the paper Section [5] is devoted to recall the list-decoding 
problem, the Johnson bounds generic or g-ary, and Section[3]to the definitions of 
the codes we wish to decode, namely alternant codes and classical Goppa codes. 
Section |4] shows how to consider classical Goppa codes as subfield subcodes of 
Algebraic Geometric Goppa codes. Then, using Guruswami's result in jGur04j . 
it is almost straightforward to show that these codes can be decoded up to the 
binary Johnson bound 62(71., d*), where d* ~ 2r + 1. However, this approach is 
far reaching, and the reader may skip Section HI since Section [5] provides a self- 
contained treatment of the decoding of alternant codes up to the g-ary Johnson 
bound. Essentially, this amounts to show how to pick the varying multiplicities, 
but we also study the dependency on the multiplicity. This enables us to give 
an estimation of the complexity of the decoding algorithm, which is quadratic 
in the length n of the code, when one is not too greedy. 

2 List-decoding 

First, recall the notion of list-decoding and multiplicity. 

Problem 2.1. Let C be a code in its ambient space F^. The list-decoding 
problem of C up to the radius e g [0, n] consists, for any y in F^, in finding all 
the codewords c in C such that d{c, y) < e. 

The main question is: how large can e be, such that the list keeps a reason- 
able size? A partial answer is given by the so-called Johnson bound. 

3 Classical Goppa Codes 

This section is devoted to the study of classical q-ary Goppa codes, regarded as 
alternant codes (subfield subcodes of Generalised Reed-Solomon codes) and as 
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subfield subcodes of Algebraic Geometric codes. Afterwards, using Guruswami's 
results |Gur04j on soft-decoding of Algebraic Geometric codes, we prove that 
classical Goppa codes can be list-decoded in polynomial time up to the g-ary 
Johnson bound. 



Context In this section, q denotes an arbitrary prime power and m, n denote 
two positive integers such that m > 2 and n < q^^. In addition L = (ai, . . . , a„) 
denotes an rt~tuple of distinct elements of F^m . 



3.1 Classical Goppa codes 

Definition 3.1. Let r be an integer such that < r < n. Let G E ¥q,l^[X] be 
a polynomial of degree r which does not vanish at any element of L. The g-ary 
classical Goppa code Tq{L, G) is defined by 



r,(L,G)^<^(ci,...,c„)eF" 



^ X 

1=1 



Oil 



mod (G(X)) 



3.2 Classical Goppa codes are alternant 

Definition 3.2 (Evaluation map). Let B = (/3i, . . . ,/3„) be an n-tuple of ele- 
ments of F^m, and L — (ai, . . . ,a„) denotes an n-tuple of distinct elements of 
Fgm . The associated evaluation map is: 

r VqAx] ^ 

I f{X) ^ (/3i/(ai),...,/3„/K)) ■ 

Definition 3.3 (Generalised Reed-Solomon code). Let B = (/3i, . . . , /?„) be 
an n-tuple of elements of F^™ . Let fc be a positive integer. The Generalised 
Reed-Solomon code (or GRS code) over F,™ associated to the triple {L,B,k) 
is the code: 

Gi?V (L, B, k) ^ {ev(/(X)) I / e F,,. [XUu] , 

where ev denotes the evaluation map in DefLnition l3.2l This code has parameters 
[n,fc,n- fc + 1],™ 0MS83I CMO, §8,p303 ). 

Definition 3.4 (Subfield Subcode). Let K he & finite field and M/K be a finite 
extension of it. Let C be a code of length n with coordinates in M, the subfield 
subcode C\k of C is the code 

C\K=Cr\K''. 

Definition 3.5 (Alternant code). A code is said to be alternant if it is a subfield 
subcode of a GRS code. 

In particular, classical (?-ary Goppa codes are alternant. Let us describe a 
GRS code over F,™ whose subfield subcode over F^ is r^(L, G). 

Proposition 3.6. Let r be an integer such that < r < n and G G Fgm [X] 
be a polynomial of degree r which does not vanish at any element of L. Then, 
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the classical Goppa code Tq{L,G) is the subfield subcode GRSqm{L, B,n — r)\^f , 
where B — (/3i, . . . , /3„) is defined by 

w ^ n 1 « ^ G{ai) 



Proof See |MS83) C/il2, §3,p340, r/im4. 



□ 



3.3 A property on the minimum distance of classical Goppa 
codes 

Let L = (ai , . . . , a„) be an n-tuple of distinct elements of F,™ and G € F,™ [X] 
be a polynomial of degree r > which does not vanish at any element of L. Since 
Tq{L, G) is the subfield subcode of a GRS code with parameters [n, n— r, r+1],™, 
the code Tq{L,G) has parameters [n, > n — mr, > r + 1], (see [Sti93| Lemma 
VIII.L3 and [M553] C/il2, §3,p339). 

In addition, it is possible to get a better estimate of the minimum distance 
in some situations. This is the objective of the following result. 

Theorem 3.7. Let L = (ai, . . . , a„) be an n-tuple of distinct elements of¥qm . 
Let G € ¥qm [X] be square-free polynomial which does not vanish at any element 
of L and such that < deg(G) < n/q. Then, 

r,(L,G«-i) = r,(L,G«). 

Proof (BLPlOj Theorem 4.1. □ 

The codes Tq{L,G'^~^) and rg(L, G'^) are subfield subcodes of two distinct 
GRS codes but are equal. The GRS code associated to G'~^ has a larger 
dimension than the one associated to C but a smaller minimum distance. Thus, 
it is interesting to deduce a lower bound for the minimum distance from the 
GRS code associated to G' and a lower bound for the dimension from the one 
associated to G'~^. 

This motivates the following definition. 

Definition 3.8. In the context of Theorem l3.7l the designed minimum distance 
of rq{L,G'^~^) is rfg^p = qdeg{G) + 1. It is a lower bound for the actual 
minimum distance. 

Remark 3.9. Using almost the same proof. Theorem 13.71 can be generalised as: 
let Gi, Gt be irreducible polynomials in F^m [X] and ei, . . . , et are positive in- 
tegers congruent to -1 mod q, then r,(L, Gf • • • G^*) = Tq{L, Gl^+^ ■ ■ ■ Gt*+^). 

4 List-decoding of classical Goppa Codes as Al- 
gebraic Geometric codes 

In this section, G denotes a smooth projective absolutely irreducible curve over 
a finite field F,. Its genus is denoted by g{C). 
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4.1 Prerequisites in algebraic geometry 

The main notions of algebraic geometry used in this article are summarised in 
what follows. For further details, we refer the reader to [Ful89 for theoretical 
results on algebraic curves and to |Sti93) and |VNT07) for classical notions on 
Algebraic Geometric codes. 

Points and divisors If k is an algebraic extension of the base field F™, we 
denote by C{k) the set of fc~rational points of C, that is the set of points whose 
coordinates are in k. 

The group of divisors Div|r^ (C) of C is the free abelian group generated by 

the geometric points of C (i.e. by C{¥q)). Elements of Divj^ (C) are of the form 

Q = X]pec(F ) '^pP^ where the ap's are integers and are all zero but a finite 
number of them. The support of Q — '^apP is the finite set 

Supp(g) ^ {F e CiWg) I ap ^ 0}. 

The group Divr, (C) of Fg-rational divisors is the subgroup of Divp (C) of 
divisors which are fixed by the Frobenius map. 
A partial order is defined on divisors: 

2? = ^ dpP >£ = Y. ^-P^ ^ VP e C{¥g), dp > ep. 

A divisor I? — ^ dpP is said to be effective or positive if 2? > 0, i.e. if for 
all P e C{¥q), dp > 0. To each divisor V = "^pdpP, we associate its degree 
deg(2?) e Z defined by deg(I?) = ^dp. This sum makes sense since the dp's 
are all zero but a finite number of them. 

Rational functions The field of F^-rational functions on C is denoted by 
Fg(C). For a nonzero function / £ F,(C), we associate its divisor 

(/)= E ^^(/)-^' 

Pec(l,) 

where vp denotes the valuation at P. This sum is actually finite since the 
number of zeroes and poles of a function is finite. Such a divisor is called a 
principal divisor. The positive part of (/) is called the divisor of the zeroes of 
/ and denoted by 

(/)o ^ E ^^(/)-^- 

PeC(F,), vp(f)>o 
Lemma 4.1. The degree of a principal divisor is zero. 

Proof jFul89| Chapter 8 Proposition 1. □ 

Riemann— Roch spaces Given a divisor Q G Divr^{C), one associates a vec- 
tor space of rational functions defined by = {/ € Fq(C) | (/) > — 0}U{O}. 
This space is finite dimensional and its dimension is bounded below from the 
Riemann-Roch theorem dim{L{Q)) > deg{Q) + 1 — g{C). This inequality be- 
comes an equality if deg{Q) > 2g{C) — 2. 
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4.2 Construction and parameters of Algebraic Geometric 
codes 

Definition 4.2. Let G be an Fg-rational divisor on C and Pi, . . . , P„ be a set 

of distinct rational points of C avoiding the support of G- Denote by V the 
divisor 2? = Pi + • • • + P„. The code ClCD, G) is the image of the map 



ev-D 



/ ^ {f{Pi),...J{Pn)) 



The parameters of Algebraic Geometric codes (or AG codes) can be esti- 
mated using the Riemann-Roch theorem and Lemma 14.11 

Proposition 4.3. In the context of Definition assume that deg(G) < n. 
Then the code CLi'DiG) has parameters [n, k,d]q where k > deg(fj) + l — g(C) and 
d>n- deg{G). Moreover, if 2g{C) - 2 < Aeg{G), then k = deg(^) + 1 - g{C). 

Proof. jSti93j Proposition IL2.2 and CoroUary IL2.3. □ 

Definition 4.4 (Designed distance of an AG code). The designed distance of 
Cl{V,G) is dl^^n-degiG). 



4.3 Classical Goppa codes as Algebraic Geometric codes 

In general, one can prove that the GRS codes are the AG codes on the projective 
line (see ISti931 Proposition IL3.5). Therefore, from Proposition 13. 6[ classical 
Goppa codes are subfield subcodes of AG codes. In what follows we give an 
explicit description of the divisors used to construct a classical Goppa code 
Tq{L, G) as a subfield subcode of an AG code. 

Context The context is that of Section [3] In addition. Pi , . . . , P„ are the 
points of of respective coordinates (ai : l),...,(a„ : 1) and Poo is the 
point "at infinity" of coordinates (1 : 0). We denote by T) the divisor T) = 
Pi H h P„ e DivF,„ (P^). Finally, we set 

n 

F{X)^l[{X-a,) e¥q^[X]. (3) 
1=1 

Remark 4.5. A polynomial H e Fg[A"] of degree d can be regarded as a rational 
function on P^ having a single pole at Poo with multiplicity d. In particular 
deg{H) <d-^{H)> ~dP^ ^ iJ e L(-dPoo). 

Theorem 4.6. Let G £ ¥qm [X] be a polynomial of degree r such that < r < n. 
Then, 

Tq{L,G) ^ Cl{V, A ~£)ir,, 

where A, £ are positive divisors defined by £ ^ and A = {F') + {n— l)Poo, 

where F' denotes the derivative of F. 

Remark 4.7. The above result is actually proved in |Sti93| (Proposition II. 3. 11) 
but using another description of classical Goppa codes (based on their parity- 
check matrices). Therefore, we chose to give another proof corresponding better 
to the present description of classical Goppa codes. 
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Proof of Theorem \4.6\ First, let us prove that A is well-defined and positive. 
Since F has simple roots (see ([3])), it is not a p-th power in Fgm[X] (where p 
denotes the characteristic). Thus, F' is nonzero. Moreover F' has degree < n—1 
(with equality if and only if n — 1 is prime to the characteristic). Remark 14.51 
entails (F') > -{n - l)Poo and A = {F') + {n - l)Poo > 0. 



Let us prove the result. Thanks to Proposition 13.61 it is sufficient to prove 
that CLiV,A-S) = GRSqm{L,B,n-r), where B = (;3i, . . . , /3„) with 

V»€{l,...,n}, ^^"'^ ■ (4) 

Notice that, 

Vi e {l,...,n}, F'ia^)^Y[ia,-aj). (5) 

Let i? be a polynomial in [X]<„„r. Remark |4 . 51 yields (H) > — (n— r— l)Poo 
and 



(^) = (G) + (ff) - (P') > i£-rPoo)-in-r-l)Poo-A+in-l)P^ 

> -(A-S). 



Thus, GH/F' e L{A - £) and, from dH) and ©, we have 

This yields GRSq..{L,B,n- r) CCl{V,A- £). 

For the reverse inclusion, we prove that both codes have the same dimension. 
The dimension of GRSq^^ {L, B, n—r) is n—r. For Cl(I?, A—£), we first compute 
deg(yl — £). By definition, deg(^) = deg((F')) +n — l which equals n — 1 from 
Lemma 14.11 The degree of £ is that of the polynomial G, that is r. Thus, 
deg{A — £) ~ n — 1 — r. Since r is assumed to satisfy < r < n and since 
the genus of is zero, we have 2g(G) — 2 = —2 < deg{A — £) < n. Finally, 
Proposition l4. 31 entails A\v[\Cl{'D ^ A — £) = deg{A — £) + l— g{C) = n — r, which 
concludes the proof. □ 

Remark 4.8. Another and in some sense more natural way to describe Tq{L, G) 
as a subfield subcode of an AG code is to use differential forms on P^. By this 
way, one proves easily that rq{L,G) — Cn{'D,£ — ^)|f, ■ Then, considering the 
differential form v = one can prove that its divisor is {i/) = A — V — Poo- 
Afterwards, using jSti93l Proposition II. 2. 10, we get 

C^{V,£ - P) ^CL{V,{iy) - £ + P + V) = Cl{V,A - £). 

The main tool for the proof of the list-decodability of classical Goppa codes 
is a Theorem on the soft-decoding of AG codes, this is the reason why we 
introduce our list-decoding algorithm by an Algebraic Geometric codes point of 
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4.4 List-decoding up to the g-ary Johnson radius 

Theorem 4.9 l' |Gur04j Theorem 6.41). For every q-ary AG-code C of block- 
length n and designed minimum distance d* = n—a, there exists a representation 
of the code of size polynomial in n under which the following holds. Let e > 
be an arbitrary constant. For 1 < i < n and A G Fg , let Wi_\ be a non- 
negative real. Then one can find in poly{n, q, 1/s) time, a list of all codewords 
c = (ci, C2, . . . , c„) of C that satisfy 



(n — 0?*) ui^j^ + e maxwi^A- {;*) 

i=l AGFg 

Using this result we are able to prove the foUowing statement. 

Theorem 4.10. In the context of Theorem \S. 7[ the code Tq{L,G'^~^) can be 
list-decoded in polynomial time provided the number of errors t satisfies 

where d*Q^p = qAeg{G) + 1 (see Definition \3.8\) . That is, the code can be list- 
decoded up to the q-ary Johnson bound associated to the best determination of 
the minimum distance. 

Proof. Set £ = (G')q and let 2? = Pi H h P„ be as in gl From Theorem [Q 

together with Theorem 14.61 we have 

r,(L, G«-i) - Cl{V,A- (q - l)f)|F, = CLiV,A~ )|f,, 

where A is as in the statement of Theorem 14.61 We will apply Theorem 14.91 
to CLi'DjA — q£). From Proposition 14.31 the designed distance of this code is 
^AG — n — deg{A} + qdeg{£). Since deg(^) ~ n — 1 and deg(iS') — deg(G), we 
get 

rf^G =gdeg(G) + l = d^„p. 

Let S and r be respectively the normalised designed distance and expected error 
rate: 

The approach is almost the same as that of |Gur04j §6.3.8. Assume we have 
received a word y £ F^' and look for the list of codewords in Tq{L, G*^^) whose 
Hamming distance to y is at most jn, with 7 < r. One can apply Theorem 14.91 
to CLi'D,A~q£) with 

{1 — T if X = yi 
T/{q-l) if AeFg\{2/,} . 
if AeF,™\Fg 

From Theorem 14. 9[ one can get the whole list of codewords of Tq{L,G'^~^) at 
distance at most from y in poly{n,q, 1/e) time provided 



(1 - 7)(1 - r) + 7 > ^(1 - -5) (^(1 - rf + + ^(1 - r). (7) 
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Consider the left hand side of the expected inequahty ([7]) and use the as- 
sumption -f < T together with the easily checkable fact Tq/{q — 1) < 1. This 
yields 



(l-7)(l-r)+7(^) - l-r-7(l-^) (8) 

2 

> l-2r+^ (9) 

^2 , 



> a-rr + — 7- (10) 

9-1 



On the other hand, an easy computation gives 



^2 , 



(l-rr + —^ = l-S. (11) 



Therefore, and (HD) entail 



(1 - 7)(1 - r) + 7 (^) >(1 + ^ - + ' 

which yields the expected inequality ([7]) provided e is small enough. 

□ 

A remark on Algebraic Geometric codes and one point codes In 

[Gur04 , when the author deals with AG codes, he only considers one point 
codes, i.e. codes of the form Cl(I?, sP) where P is a single rational point an 
s is an integer. Therefore, Theorem 14.91 is actually proved (in |Gur04) ) only 
for one point codes and is applied in the proof of Theorem 14.101 to the code 
Cl(I', ^ — f/f) which is actually not one point. 

Fortunately, this fact does not matter since one can prove that any AG code 
on is equivalent to a one point code. In the case of Cl{'D,A — q£), the 
equivalence can be described explicitly. Indeed, by definition of A and £ we 
have A-q£ = (F') + {n- 1)P^ - g(G) - q(deg(G))Poo. Set d = deg(G), then 
we get A — q£ = {F'C^) + (n — 1 — qd)Poo- Consequently, one proves easily that 
a codeword c — (ci, . . . , c„) is in Cl(2?, A — q£) if and only if (?7iCi, . . . , ijnCn) G 
Cl(I?, (n — 1 — qd)Poo), where i]i's are defined by 

Vze {l,...,n}, r],^F'{a,)GHa,). 



5 List decoding of classical Goppa codes as evalu- 
ation codes 

5.1 List-decoding of general alternant codes 

In this subsection, we give a self-contained treatment of the proposed list- 
decoding algorithm for alternant codes, up to the q-avy Johnson bound, without 
the machinery of Algebraic Geometric codes. 
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Definition 5.1. Let Q{X,Y) = T,ijQi3^'Y^ ^ ¥g^[X,Y] be a bivariate 
polynomial and s > be an integer. We say that Q{X,Y) has multiplicity at 
least s at (0, 0) G F^™ if and only if Qij = for all (», j) such that i + j < s. 

We say that Q has multiplicity at least s at point (a, b) G F^,„ if and 
only if Q{X + a,Y + b) has multiplicity s at (0,0). We denote this fact by 
mult {Q{X,Y),{a,b)) > s. 

Definition 5.2. For u,v £ N, the weighted degree wdeg„ y{Q{x, y)) of a poly- 
nomial Q{x,y) — J2 QijX^y-' is max{Mi + vy, {i,j) g N x N \Qij ^ 0}. 

Let a [n,kGiis,dGi^s]q'^ GKS{L, B,kGFis) code be given and consider the 
corresponding alternant code C = GRS^y ■ We aim at list-decoding up to 771, 
errors, where 7 is the relative list-decoding radius, which is determined further. 

Let 2/ G be a received word. The main steps of the algorithm are the 
following: Interpolation, Root-Finding, Reconstruction. Note that an auxiliary 
s G N\{0} is needed, which is discussed further, and appropriately chosen. Now 
we can sketch the algorithm. A pseudo-code is detailed further, see Algorithm 

HI 

1. Interpolation: Find Q{X,Y) = J2Qi{X)Y' e ¥gm[X,Y] such that 

(a) (non triviality) Q{X,Y) ^0; 

(b) (interpolation with varying multiplicities) 

. muh(Q(X, Y), (a„ y,/3ri)) > ,s(l - 7); 

. muh(Q(X, Y), (a„ z/3ri)) > for any z G F, \ {yj; 

(c) (weighted degree) wdeg^ j,^^^, Q{X, Y) < sn (^{l ~ 7)^ + ; 

2. Root-Finding: Find all the factors {Y-f(X)) of g(X, F), with deg /(X) < 

3. Reconstruction: Compute the codewords associated to the /(X)'s found 
in the Root-Finding step, using the evaluation map ev^^^. Retain only 
those which are at distance at most from y. 

Lemma 5.3 ( |GS99] ). Let u be an integer and Q{X,Y) be a polynomial with 
multiplicity s at (a, b). Then, for any f{X) such that f{a) = b, one has {X—aY \ 
QiXJiX)). 

Proposition 5.4. Let y be the received word, and Q{X, Y) satisfying condi- 
tions \lal\lb[ and[T^above. Let f{X) be a polynomial such that deg f{X) < kcRs 
and accordingly, let c = evL^B{f{X)). If d{c,y) < ^n, then Q{X, f{X)) — 0. 

Proof. Assume that d{ey{f{X)), y) — 6n < jn. Set / = {i, f{xi) — yi(3^^] and 
J A {ij(xi) ^ y^P~^}■ Obviously we have |/| = n{l ~ 6) and |7| = 0n. Note 
that, from Lemma [Ol Q{X, f{X)) is divisible by 

lliX - aO^'^'"^^^ X 1[{X - a,)r^^/(9-i)l , 

is/ jg7 
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Algorithm 1 List decoding of alternant codes up to the g-ary Johnson bound 
Subroutine: 

Interpolation(constraints,fc — 1) finds a polynomial Q{X,Y) satisyfing 
the constraints [Tal llb[ and [Tel 
Input: 

L = (ai, . . . ,a„) 

The associated evaluation map ev 
koRS 

C, the alternant code GRS{{ai), (A ) j ^Gfls) |f<, 

The relative decoding radius 7 = (1 — e)r 

The received word y € 
Output: The list of codewords c £ C such that d{c, y) < jn 
1; s,£ < — Paranieters(n, A:(3i^5, e), according to Equations and (j36p . 
2; constraints -s— [] 
3; for i = 1 to n do 
4: for z e F, do 
5: if z — yi then 

6: constraints -s— constraints U {(a^, z/3j^^), [s(l — 7)] }; 

7: else 

8: constraints -s— constraints U |(ai, zf3^^), [^tj-] |; 

9: Q{X,Y) -s— Interpolation(constraints,fc — 1) 

10: F^{f{X) \iY-fiX))\QiX,Y)} 

11: Return {c = f{X) \ f{X) € F and deg /(X) < fc - 1 and d(c, < 771} 



which is a polynomial of degree D = n{l — 9) \s{l — 7)] +n9 



9-1 



This degree 



is a decreasing function of for 7 < since it is an afhne function of the 
variable 6, whose leading term is 



dn \s{l - 7)1 + 



57 



< 0. 



The minimum is reached for = and is greater than sn ^(1 — 7)^ + 



Thus, D > sn y^l — 7) + j • On the other hand, the weighted degree con- 
dition imposed Q{X,Y) implies that degQ{X, f{X)) < sn (^(1 - 7)^ + ^)). 
Thus Q(X,/(X)) = 0. □ 

Proposition 5.5. LetScBS — ^^^7^ relative minimum distance of a GRS 

code as above, defining an alternant subcode overWq. Set 



A 9 - 1 

T = 



i-Ji- 



>GRS 



(12) 



Then, for any 7 < r, there exists s large enough such that a polynomial Q{X, Y), 
satisfying the three previous constraints \la[ UR and[I^ always exists, whatever 
the received word. 

Proof. To make sure that, for every received word y, a non zero Q{X,Y) ex- 
ists, it is enough to prove that we have more indeterminates than equations in 
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Figure 2: Behaviour of the ^(7) function, for 7 G [0, 1], with q ^ 2. 

the Hnear system given by llb[ and [Tel since it is homogeneous. That is (see 
Appendix), 



(14) 



2{k-l) \\ 2 J \ 2 

which can be rewritten as, 

((l-7)» + ^)'>fl'((l-7)' + ^ + i). 

where R' = ^'^"^f~^ - Thus, we find that fi = ^(7) = (1 - 7)^ + ^ must satisfy 
/i^ — R'fi — — > 0. The roots of the equation /i-^ — — — = are 



R' - + 4^ R' + y'i?'2 + 4^ 
Mo = ^ , /ii = ^ 

Note that the function /i(7) is decreasing with 76 [0, 1 — i], as shown on Fig [5] 
for the particular case q — 2. Only /ii is positive and thus we must have ^ > /ii, 
i.e. 

(1-7)' + ^> Ml- (15) 
Again, we have two roots for the equation (1 — 7)^ + = /ii, namely: 



70 = ^ (1 - ) (16) 



71 = ^ ((1 + Jl + ^(1-/^1) ) • (17) 
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Only 7o < , and thus we must have 



7 < 70 



1 



(1 



1 



q 



q ' V 

Then, when s — )■ oo, we have /^i — i?', and we get 

Q-l 



7 < T = 



1- Wi- 



q \ V 

Usmg the fact that kens — 1 = n — dG/jg, i.e i?' = 1 — Sgrs, we get 

9-1 



(18) 



(19) 



q 



which the (?-ary Johnson radius. 



1- Wi- 



q 

q-i 



'GRS 



□ 



The previous Proposition proves that this method enables to list-decode any 
alternant code up to the g-ary Johnson bound. This bound is better than the 
error correction capacities of the previous algorithms [GS99i |Ber08| . For the 
binary case, we plot in Figure 12] the binary Johnson bound (weighted multiplic- 
ities, this paper), the generic Johnson bound (straight Guruswami-Sudan, or 
Bernstein), and the unambiguous decoding bound (Patterson). As usually, the 
higher the normalised minimum distance is, the better the Johnson bound is. 



0.5 
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Figure 3: Comparison of the relative error capacities of different decoding al- 
gorithm for binary alternant codes — This applies to binary square-free Goppa 
codes. 



5.2 Complexity Analysis 

The main issue is to give explicitly how large the "order of multiplicity" s has 
to be, to approach closely the limit correction radius, t{5gb.s) as given by ([T^. 
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Lemma 5.6. To list-decode up to a relative radius of j — (1 ~s)t, it is enough 
to have an auxiliary multiplicity s of size C(j-), where the constant in the big-O 
depends only on q and on the pseudo-rate R' = ''°"",f ~^ of the GRS code. 

Proof. To get the dependency on s, we work out Equation (jlSp . Let us denote 
by 7(5) the achievable relative correction radius for a given s. We have 



7(s) = ^ (1 - a/i-^(1-A*^)) ) . (20) 



with /ii(s) = — — ^^"2 ^. We use that vT+x < 1 + f , for all x > 0. First, 

we have the bound: 



R' + JR'^ + A^ 
Ms) = (21) 



<^(^+(^ + A^]] (23) 



2 V V 2si?' 

= R' + -. (24) 
s 



Now, calling Kg{R') the quantity 1 — 7-^(1 — R'), we compute: 



lis) - ^ (1 - a/i-^(1-A*^)) ) (25) 



+ (27) 



+ ,28) 



q \ V V q-lsKq{R') 

'^'^^-./^^yi / (31) 



1 



2s^KjW) 



(32) 



^(^ 2sT,/KjRr)) ^^^^ 
Thus, to reach a relative radius 7 = (1 — £)r, it is enough to take 

s= / =g(-)- (34) 
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□ 



The most expensive computational step in these kinds of list-decoding algo- 
rithms is the interpolation step, while root-finding is surprisingly cheaper [APOOl 
IRROO] ■ This is the reason why we focus on the complexity of this step. We 
assume the use of the so-called Koetter algorithm jK6t96j (see for instance 
[TrilOi IKMVIO] for a recent exposition), to compute the complexity of our 
method. It is in general admitted that this algorithm, which also may help in 
various interpolation problems, has complexity 0{lC^), where I is the F-degree 
of the Q{X, Y) polynomial, and C is the number of linear equations given by the 
interpolation constraints. It can be seen as an instance of the Buchberger-MoUer 
problem |MB82| . 

Corollary 5.7. The proposed list-decoding runs in 



e " 



(35) 



field operations to list-decode up to (1 — e)r • n errors, where the constant in the 
hig-O depends only on q and the pseudo-rate R' . 

Proof. Assume that we would like to decode up to — n{l — e)r. The number 
of equations given by the interpolation conditions can be seen to be 0(ns'^) (see 
Equation (fT3|) ). Now, the list size i is bounded above by the F-degree of the 
interpolation polynomial Q{X, Y), which is at most 



S7l((l -7)2 + 



(36) 



fc-i 



Fitting s = 0(i), we conclude that this method runs in 



for fixed R' 
©(n^e-S). 

Regarding the Root-Finding step, one can use |RROO| . where an algorithm of 
complexity 0{l^k'^) is proposed, assuming q is small. Indeed, classical bivariate 
factorisation or root finding algorithms rely on a univariate root-finding step, 
which is not deterministic polynomially in the size of its input, when q grows. 
But our interest is for small q, i.e. 2 or 3, and we get 0{s^n?'), which is less than 
the cost of the interpolation step. □ 

Corollary 5.8. To reach the non relative q-ary Johnson radius: 



q-1 



n 1- Jl 



q doRS 



1 



q \ \l q — 1 n 
it is enough to have s — 0{-^). Then, the number of field operations, is 

where the constant in the big-O only depends on q and R' . 
Proof. It is enough to consider that 

'q-i 



= nr(l - e). 



with £ = 0(i). 



□ 
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Generic list-decoding 


Bernstein 


Binary list-decoding 








n — \/ n(n — 2t) — 1 


n - ^n(n - 2i - 2) 





Table 1: Comparison of the claimed decoding radii in terms of t, the degree of 
the square-free polynomial G{X) using to construct the Goppa code. 



5.3 Application to classical binary Goppa codes 

The most obvious application of this algorithm is the binary Goppa codes de- 
fined with a square-free polynomial G (we do not detail the result for the general 
q-ary case, which is less relevant in practice). Indeed, since we have 

r2(L,G) = r2(L,G2), 

both codes benefit at least from the dimension of r2{L, G) and the distance of 
r2{L,G^). Thus, if degG — t, we have the decoding radii given in Table [TJ In 
addition, we compare in Table[2]the different decoding radii for practical values. 



Algorithm 2 List-decoding of binary Goppa codes 
Require: 

L = (ai, . . . ,a„) 

A Goppa polynomial G, square-free 
The corresponding Goppa code C = T2{L, G) 
The associated evaluation map ev 
The relative decoding radius 7 = (1 — e)T 
The received word y e 
1: View r2(L,G) as r2(L,G2) 

2: Consider the Generalised Reed-Solomon code GRSqm[L, B,k) above 

r2(L,G2) 

3: Use Algorithm [T] to find all the codewords at distance 771 of y 



A The number of unknowns 

Proposition A.l. Let Q{X,Y) E ¥[X,Y] be a bivariate polynomial such that 
wdegi i._iQ{X,Y) < D. Then, the number N^-i^d of nonzero coefficients of 
Q(X,Y) is larger than or equal to 

(37) 



2(fc- 1) 
Proof. Let us write 

g(x,y) = ^Q,y\ 



i=0 
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n 


k 


t 


Guruswami-Sudan 


Bernstein 


Binary list-decoding 


16 


4 


3 


4 


4 


5 


32 


2 


6 


7 


8 


9 


64 


16 


8 


9 


9 


10 


(i4 


4 


10 


11 


12 


i;-! 


128 


23 


15 


16 


17 


18 


128 


2 


18 


20 


20 


22 


256 


48 


26 


28 


28 


30 


256 


8 


31 


33 


34 


36 


512 


197 


35 


36 


37 


38 


512 


107 


45 


47 


48 


50 


512 


17 


55 


58 


59 


G3 


1024 


524 


50 


51 


52 


53 


1024 


424 


60 


62 


62 


74 


1024 


324 


70 


73 


73 


76 


1024 


224 


80 


83 


84 


88 


1024 


124 


90 


94 


95 


100 


2048 


948 


100 


103 


103 


105 


2048 


728 


120 


124 


124 


128 


2048 


508 


140 


145 


146 


151 


2048 


398 


150 


156 


157 


163 


2048 


288 


160 


167 


167 


175 


2048 


178 


170 


178 


178 


187 



Table 2: Comparison of the error capacities of different decoding algorithms for 
square-free binary Goppa codes, with respect to the length n, the dimension k, 
and the degree t of G{X). 



with degQj{X) < D - {k - and i maximal such that (fc - l)i < D. Then 

e 

Nk-i,D=Y,{D-{k-l)i) (38) 

i=0 

= {i+l)D-{k-l/-^^ (39) 
=(^+l)(D-(fc-l)0 (40) 

=(^+l)§ (42) 

□ 



(D-^) (41) 
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B The number of interpolation constraints 

The following proposition can be found in any book of computer algebra, for 
instance |CL092j . 

Proposition B.l. Let Q{X, Y) E ¥[X, Y] be a bivariate polynomial. The num- 
ber of terms of degree at most s in Q{X, Y) is (^^^) • 

Corollary B.2. The condition imilt{Q{X,Y)), {a,b)) > s imposes {''^^) linear 
equations on the coefficients of Q{X,Y). Let {ai,bi) G be points and Si G N 
be multiplicities, i E [1, J^]- Then the number of linear equations imposed by the 
conditions 

mult(Q(X,r),(a„6,)) > i&[^,ri], (44) 

is 
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